ceph-admin ssh private key distribution could be more limited

Bug #1928717 reported by John Fulton
Affects: tripleo | Importance: High | Assigned to: John Fulton

Bug Description

The distribution of the private key should be limited only to mons/mgrs within a ceph cluster. It should not be distributed to just any server within the ceph cluster, i.e. hosts in the osd group don't need the private key (having the public key in authorized_hosts is sufficient).

When ceph-admin-user-playbook.yml [1] calls the tripleo_create_admin role it uses distribute_private_key=true [2] and a private SSH key to access the mon/mgr nodes from ceph storage nodes is created [3] unnecessarily.

[1] https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/playbooks/ceph-admin-user-playbook.yml#L59

[2] https://github.com/openstack/tripleo-ansible/commit/3d65bce9b3efdbadacee85b0593f4bdcf917528c

[3]
2021-04-23 17:40:08,434 p=830710 u=stack n=ansible | 2021-04-23 17:40:08.433870 | 24420180-73f1-94e9-9575-000000000028 | TASK | Install private key on nodes for user ceph-admin
2021-04-23 17:40:09,171 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.170774 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-0
2021-04-23 17:40:09,183 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.183393 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-ceph-0
2021-04-23 17:40:09,208 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.208432 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-2
2021-04-23 17:40:09,231 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.230506 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-compute-0
2021-04-23 17:40:09,242 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.242402 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-1

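An added audit check (not part of the bug report or of tripleo-ansible) that makes the problem in the description and the intended post-fix state concrete: it parses the task log quoted in [3] to find every host the private key was installed on, then flags any host that is not in a ceph_mon or ceph_mgr group. The inventory group mapping is constructed for illustration; the log lines are the ones quoted above.

```python
import re

# Constructed sample: the task log lines quoted in the bug report ([3]).
SAMPLE_LOG = """\
2021-04-23 17:40:08,434 p=830710 u=stack n=ansible | 2021-04-23 17:40:08.433870 | 24420180-73f1-94e9-9575-000000000028 | TASK | Install private key on nodes for user ceph-admin
2021-04-23 17:40:09,171 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.170774 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-0
2021-04-23 17:40:09,183 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.183393 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-ceph-0
2021-04-23 17:40:09,208 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.208432 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-2
2021-04-23 17:40:09,231 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.230506 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-compute-0
2021-04-23 17:40:09,242 p=830710 u=stack n=ansible | 2021-04-23 17:40:09.242402 | 24420180-73f1-94e9-9575-000000000028 | CHANGED | Install private key on nodes for user ceph-admin | oc0-controller-1
"""

# Constructed (assumed) inventory: which TripleO service groups each host is in.
INVENTORY = {
    "oc0-controller-0": {"ceph_mon", "ceph_mgr"},
    "oc0-controller-1": {"ceph_mon", "ceph_mgr"},
    "oc0-controller-2": {"ceph_mon", "ceph_mgr"},
    "oc0-ceph-0": {"ceph_osd"},
    "oc0-compute-0": {"nova_compute"},
}

PRIVATE_KEY_TASK = "Install private key on nodes for user ceph-admin"
# Only mon/mgr hosts need the private key; everyone else needs only the public key.
ALLOWED_GROUPS = {"ceph_mon", "ceph_mgr"}

# Matches the trailing "| STATUS | task name | host" of a per-host result line;
# the bare "| TASK | ..." header line has no host field and is skipped.
LINE_RE = re.compile(
    r"\|\s*(?P<status>[A-Z]+)\s*\|\s*(?P<task>[^|]+?)\s*\|\s*(?P<host>\S+)\s*$"
)


def hosts_receiving_private_key(log_text):
    """Return the set of hosts on which the private-key task ran (CHANGED or OK)."""
    hosts = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("task") == PRIVATE_KEY_TASK and m.group("status") in {"CHANGED", "OK"}:
            hosts.add(m.group("host"))
    return hosts


def overexposed_hosts(log_text, inventory, allowed=ALLOWED_GROUPS):
    """Hosts that got the private key without being in a mon/mgr group."""
    return sorted(h for h in hosts_receiving_private_key(log_text)
                  if not inventory.get(h, set()) & allowed)


if __name__ == "__main__":
    print("private key should not be on:", overexposed_hosts(SAMPLE_LOG, INVENTORY))
```

After the merged fix, which limits distribute_private_key to the mon/mgr hosts, the same check over a fresh deployment log should return an empty list.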
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (master)
Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/791823

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-docs (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-docs/+/791824

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/791822
Committed: https://opendev.org/openstack/tripleo-ansible/commit/4d3144fce380300b9f1ab3f00ed816c1fb055367
Submitter: "Zuul (22348)"
Branch: master

commit 4d3144fce380300b9f1ab3f00ed816c1fb055367
Author: John Fulton <email address hidden>
Date: Mon May 17 20:04:43 2021 +0000

    Limit cephadm private key distribution to mons/mgrs

    It is not necessary to distribute the ceph-admin user's
    private SSH key to every host of a Ceph service; only
    the hosts running the ceph_mgr and ceph_mon services
    need the private key. By default this is limited to
    the controller nodes only.

    The existing role calls the ceph-admin-user-playbook.yml.
    Split it into two calls which use --limit to target the
    necessary Ceph service hosts and set distribute_private_key
    to true only for mons/mgrs.

    Closes-Bug: #1928717
    Change-Id: I8343c419c140670f01bdc94b4c8130004bac64e1

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/791823
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/9fb6b36f14cc3dc298a71f069ece78b0276c97bc
Submitter: "Zuul (22348)"
Branch: master

commit 9fb6b36f14cc3dc298a71f069ece78b0276c97bc
Author: John Fulton <email address hidden>
Date: Mon May 17 20:20:44 2021 +0000

    Move ceph_admin_extra_vars logic to tripleo-ansible

    Instead of creating ceph_admin_extra_vars with
    distribute_private_key always set to true, set
    that variable to true only when appropriate based
    on logic in the depends-on patch.

    Also, it is not necessary to override the values of
    tripleo_admin_generate_key or ssh_servers to create
    the ceph-admin user for cephadm.

    Related-Bug: #1928717
    Depends-On: I8343c419c140670f01bdc94b4c8130004bac64e1
    Change-Id: I2bacf82f85e5c78f5ae603460919cf3ff7130e9c

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/792761

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/792762

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/792761
Committed: https://opendev.org/openstack/tripleo-ansible/commit/564453721de30d7ae19f381c328a212ac9a021ed
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 564453721de30d7ae19f381c328a212ac9a021ed
Author: John Fulton <email address hidden>
Date: Mon May 17 20:04:43 2021 +0000

    Limit cephadm private key distribution to mons/mgrs

    It is not necessary to distribute the ceph-admin user's
    private SSH key to every host of a Ceph service; only
    the hosts running the ceph_mgr and ceph_mon services
    need the private key. By default this is limited to
    the controller nodes only.

    The existing role calls the ceph-admin-user-playbook.yml.
    Split it into two calls which use --limit to target the
    necessary Ceph service hosts and set distribute_private_key
    to true only for mons/mgrs.

    Closes-Bug: #1928717
    Change-Id: I8343c419c140670f01bdc94b4c8130004bac64e1
    (cherry picked from commit 4d3144fce380300b9f1ab3f00ed816c1fb055367)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/792762
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/8775a8bbe1515f38cc7d3d619628f7eebcd4a037
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 8775a8bbe1515f38cc7d3d619628f7eebcd4a037
Author: John Fulton <email address hidden>
Date: Mon May 17 20:20:44 2021 +0000

    Move ceph_admin_extra_vars logic to tripleo-ansible

    Instead of creating ceph_admin_extra_vars with
    distribute_private_key always set to true, set
    that variable to true only when appropriate based
    on logic in the depends-on patch.

    Also, it is not necessary to override the values of
    tripleo_admin_generate_key or ssh_servers to create
    the ceph-admin user for cephadm.

    Related-Bug: #1928717
    Depends-On: I8343c419c140670f01bdc94b4c8130004bac64e1
    Change-Id: I2bacf82f85e5c78f5ae603460919cf3ff7130e9c
    (cherry picked from commit 9fb6b36f14cc3dc298a71f069ece78b0276c97bc)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-docs (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-docs/+/791824
Committed: https://opendev.org/openstack/tripleo-docs/commit/e5586f423b9512415de07931c4f893e4fc26a6b3
Submitter: "Zuul (22348)"
Branch: master

commit e5586f423b9512415de07931c4f893e4fc26a6b3
Author: John Fulton <email address hidden>
Date: Mon May 17 16:36:24 2021 -0400

    Update cephadm SSH key distribution description

    Change-Id: I32bdafba8ff0e2b549c2a3eed6144994643bb9cd
    Related-Bug: #1928717
    Depends-On: I8343c419c140670f01bdc94b4c8130004bac64e1

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 3.1.2

This issue was fixed in the openstack/tripleo-ansible 3.1.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 4.0.0

This issue was fixed in the openstack/tripleo-ansible 4.0.0 release.
